Good nit. Parasitism implies that one party benefits while the other is adversely affected.
That's exactly my point, except that it goes both ways. Commensalism connotes some degree of reasonableness. A natural alliance of Big Blue and unwashed hackers is not "reasonable". They do not like each other. They do not understand or appreciate where the other side is coming from. One side does gain at the other's expense, but if it's big gains and small losses going both ways,...
Symbiosis can be defined as mutual parasitism. If this isn't botched too badly, both sides come pretty close to getting "something for nothing". Actually, seems like IBM's major contributions have been low-profile down-in-the-trenches stuff that everyone else benefits from more than IBM. From IBM's perspective, if you have a goose that lays golden eggs, it's probably not a good idea to scrimp on chicken feed.
The viruses are attachments that students open and have nothing to do with Outlook's behavior
Wrong. They have everything to do with Outlook's behavior. And Microsoft Word. And Microsoft Excel. And the behavior of Microsoft Windows in general.
Everything is the system is geared towards having the users click on everything. Suddenly they're supposed to be smart enough to not click on worms and viruses?
Unfortunately, the real world is asynchronous and it doesn't really work to say "Stop the world, I've got some computing to do".
it's also easy -- quite seductively easy -- to try to write excessively complex, multithreaded systems that are too complicated for you or anyone else to understand, You're right, but methinks you understate the case.
You need programmers with a good background in real-time and concurrent programming, who understand the hazards and how to avoid them.
Agreed. Including all the places that look innocent but are capable of encountering such hazards. Including the pathological cases where innocent-looking code can have extremely evil consequences. Including code that looks dangerous but is in fact safe. Including code that looks safe but is in fact dangerous.
take this formal description and produce a rigorous proof of some property,.g., that some state is never reached... and then have the system go beserk when that state is reached.
The problem is that while you can get a rigorous proof (Wasn't the parallel postulate "proved" in the 13th centery or so?) of the formal description, you have nothing remotely like a proof, formal or otherwise, that the formal description actually matches reality.
That's like saying that a building is a trivial set of nails in pieces of wood, or just a bunch of bricks with mortar.
The pieces taken in isolation may be trivial, but such as "Is it the right building? In the right place?" are not. The nail may support the pieces of wood it is nailed into, but what about supporting everything that the wood supports? Disktra's comment is that most software is designed only to the level of the trivial. He makes no assertion that there is anything trivial about an assemblage of trivial things. A single bit is about as trivial as you can get. A complex program is nothing more than a sequence of those trivial bits.
If someone were to attach a "your_paper.sh" and if someone did fire it up, it will definitely do damage...and anything that user has rights to becomes fair game...
If the machine is multi-user...
So, set up a run-viruses-here user. World Writeable. Insecure compared to/tmp
I don't mind running a virus, but why would I want to do so as myself. The advantage of a multi-user system is that I can simultaneously be several different "users" on several different machines and keep some degree of sanity.
Technological solutions just create an arms race, and we've seen how well that works.
So we get an arms race between Open Source viruses (with scant resources) and Closed Source anti-viruses (with corporate level resources). Methinks this will get interesting.
But how long will it be before the viruses generate more realistic looking emails?
They're getting better, but methinks the same old rules apply. Why is this thing here and why does it want me to look at it? If the mail is important enough for me to look at it, it is important enough for the sender to give specific knowledgable information. Hey Stupid, you forgot something should work only if it says what it is that I forgot.
The real prank is if the April Fools joke turns out to be real. I know there have been a few times when I would have dearly loved to be able to google my filed correspondence.
NO MAJOR OPERATING SYSTEM AVAILABLE PROTECTS AGAINST APPLICATION BUFFER OVERFLOWS.
Seems like Burroughs' BALGOL did a good job of it, at the hardware level. I don't know how you would do an application buffer overflow in a decent LISP system. Intel I386 architecture would protect if the OS would use the segment registers instead of doing strange things to avoid them.
when the worm arises that compromises a cross-platform software package, like Apache? If it infects Apache on Microsoft Windows and Apache on IBM mainframes, then it is an Apache worm. If it infects Apache on Microsoft Windows and Apache on Linux on x86, then it is an Intel worm. If it infects Apache on Microsft Windows, then it is a Microsoft Windows worm. No hand-waving. The scope of the worm determines how to classify it.
Whether a security hole was discovered in Zonealarm, Blackice, or in any other Windows program, unless the bug was caused by a problem with Windows itself, it is not in itself a Windows worm.
Whether a security hole was discovered in... or other COMPUTER program, unless the bug was caused by a problem with THE COMPUTER ITSELF, it is not in itself a COMPUTER worm.
A worm or virus on a computer is a computer worm or virus. A worm or virus on a Microsoft Windows computer is a Microsoft Windows worm or virus.
Methinks that blacklisting the spammers is a good idea if (only if?) whoever is maintaining the blacklist is smarter and sneakier than the spammers. I suspect that anything automated will do more harm than good because there will always be ways to use it in ways that were not originally intended. Automated tar pits might be workable. The first few go through normally but the more that try, the slower the system gets. Reporting spam could work, but you need a cadre of more or less anonymous volunteers who in bulk can be trusted and not easily fooled. Something like grabbing the low-numbered slashdot accounts would be ideal.
But when you buy a business, part of what you're paying for is Goodwill. With SCO, there is no goodwill. There is only Ill will. From a number of sources.
To the contrary, their entire pricing model is based on charging you extra for those capabilities.
Companies work better when everything follows the same normal flow. It's a "Special orders do upset us" kind of thing. You can make a few bucks (very few) at a large cost to the company's sense of direction and identity. Hackers are a very useful market, particularly if you are willing to run it at a slight loss. There is no way you will make a lot of money from hackers. They don't have all that much to spend and they are very clever at not spending it. You make the money selling to the masses who aren't willing to spend the time and trouble that the hackers are willing to spend.
in implying the the customers at large wish to hack products.
It's not that we (I'd count myself as more in the non-hacking community) want to hack it ourselves. We want you to hack it so we eventually get to see the benefits, without even going to any trouble!
Something that is non-hackable is pretty much a dead end.
WRONG! The effects are small and subtle, but persistent. There is a difference between something that is worth hacking (to the hackers) and something that is more trouble than it's worth (to the hackers). You don't make money (directly) from the hackers. You gain from reputation and sales to the masses. A lot of things "just working" comes from hackers messing with the stuff. The hackers function somewhat as R&D, but they are working at their own pace for their own interests. It costs very little to make stuff "hacker-friendly" and sometimes you gain a lot more than you spend.
Slashdot Mirror
Good nit.
...
Parasitism implies that one party benefits while the other is adversely affected.
That's exactly my point, except that it goes both ways.
Commensalism connotes some degree of reasonableness. A natural alliance of Big Blue and unwashed hackers is not "reasonable". They do not like each other. They do not understand or appreciate where the other side is coming from. One side does gain at the other's expense, but if it's big gains and small losses going both ways,
Symbiosis can be defined as mutual parasitism.
If this isn't botched too badly, both sides come pretty close to getting "something for nothing".
Actually, seems like IBM's major contributions have been low-profile down-in-the-trenches stuff that everyone else benefits from more than IBM.
From IBM's perspective, if you have a goose that lays golden eggs, it's probably not a good idea to scrimp on chicken feed.
It's worse than that. The problem is that, for all but the most trivial of problems, you can't have a concrete set of requirements.
Bingo. Without a functioning system you can't even comprehend what the requirements need to be.
The viruses are attachments that students open and have nothing to do with Outlook's behavior
Wrong. They have everything to do with Outlook's behavior. And Microsoft Word. And Microsoft Excel. And the behavior of Microsoft Windows in general.
Everything is the system is geared towards having the users click on everything. Suddenly they're supposed to be smart enough to not click on worms and viruses?
It's easy to avoid race conditions:
Right. Just one step at a time.
Unfortunately, the real world is asynchronous and it doesn't really work to say "Stop the world, I've got some computing to do".
it's also easy -- quite seductively easy -- to try to write excessively complex, multithreaded systems that are too complicated for you or anyone else to understand,
You're right, but methinks you understate the case.
You need programmers with a good background in real-time and concurrent programming, who understand the hazards and how to avoid them.
Agreed. Including all the places that look innocent but are capable of encountering such hazards. Including the pathological cases where innocent-looking code can have extremely evil consequences. Including code that looks dangerous but is in fact safe. Including code that looks safe but is in fact dangerous.
take this formal description and produce a rigorous proof of some property, .g., that some state is never reached ... and then have the system go beserk when that state is reached.
The problem is that while you can get a rigorous proof (Wasn't the parallel postulate "proved" in the 13th centery or so?) of the formal description, you have nothing remotely like a proof, formal or otherwise, that the formal description actually matches reality.
That's like saying that a building is a trivial set of nails in pieces of wood, or just a bunch of bricks with mortar.
The pieces taken in isolation may be trivial, but such as "Is it the right building? In the right place?" are not. The nail may support the pieces of wood it is nailed into, but what about supporting everything that the wood supports?
Disktra's comment is that most software is designed only to the level of the trivial. He makes no assertion that there is anything trivial about an assemblage of trivial things. A single bit is about as trivial as you can get. A complex program is nothing more than a sequence of those trivial bits.
Remember, as a geek it is youre duty to use the right Acryonynms and use them in the right places.
DDoS distributed from a single computer.
Seems right to me.
You also have the phenomenon of a single task thrashing.
The main advantage of Microsoft Windows 95 over WfW was that you could get rid of useless help screens with a single click.
If someone were to attach a "your_paper.sh" and if someone did fire it up, it will definitely do damage...and anything that user has rights to becomes fair game ...
...
/tmp
If the machine is multi-user
So, set up a run-viruses-here user. World Writeable. Insecure compared to
I don't mind running a virus, but why would I want to do so as myself.
The advantage of a multi-user system is that I can simultaneously be several different "users" on several different machines and keep some degree of sanity.
Technological solutions just create an arms race, and we've seen how well that works.
So we get an arms race between Open Source viruses (with scant resources) and Closed Source anti-viruses (with corporate level resources).
Methinks this will get interesting.
Wait 'til someone finds an exploit in a popular AV package.
Wait 'til someone uses a popular AV package as an integral part of the exploit.
But how long will it be before the viruses generate more realistic looking emails?
They're getting better, but methinks the same old rules apply.
Why is this thing here and why does it want me to look at it?
If the mail is important enough for me to look at it, it is important enough for the sender to give specific knowledgable information. Hey Stupid, you forgot something should work only if it says what it is that I forgot.
No, for this Windows is appropriate.
The real prank is if the April Fools joke turns out to be real.
I know there have been a few times when I would have dearly loved to be able to google my filed correspondence.
NO MAJOR OPERATING SYSTEM AVAILABLE PROTECTS AGAINST APPLICATION BUFFER OVERFLOWS.
Seems like Burroughs' BALGOL did a good job of it, at the hardware level.
I don't know how you would do an application buffer overflow in a decent LISP system.
Intel I386 architecture would protect if the OS would use the segment registers instead of doing strange things to avoid them.
when the worm arises that compromises a cross-platform software package, like Apache?
If it infects Apache on Microsoft Windows and Apache on IBM mainframes, then it is an Apache worm.
If it infects Apache on Microsoft Windows and Apache on Linux on x86, then it is an Intel worm.
If it infects Apache on Microsft Windows, then it is a Microsoft Windows worm.
No hand-waving. The scope of the worm determines how to classify it.
This leads to the conclusion that firewall/AV software should be included as part of the baseline system,
It's so much easier to infect everything when everything is running firewall/AV software and it is the same firewall/AV software.
Whose side are you on?
Whether a security hole was discovered in Zonealarm, Blackice, or in any other Windows program, unless the bug was caused by a problem with Windows itself, it is not in itself a Windows worm.
... or other COMPUTER program, unless the bug was caused by a problem with THE COMPUTER ITSELF, it is not in itself a COMPUTER worm.
Whether a security hole was discovered in
A worm or virus on a computer is a computer worm or virus.
A worm or virus on a Microsoft Windows computer is a Microsoft Windows worm or virus.
... reading this, does this mean that Windows comes from a dumpster??
Only the better parts.
Methinks that blacklisting the spammers is a good idea if (only if?) whoever is maintaining the blacklist is smarter and sneakier than the spammers. I suspect that anything automated will do more harm than good because there will always be ways to use it in ways that were not originally intended. Automated tar pits might be workable. The first few go through normally but the more that try, the slower the system gets. Reporting spam could work, but you need a cadre of more or less anonymous volunteers who in bulk can be trusted and not easily fooled. Something like grabbing the low-numbered slashdot accounts would be ideal.
SCO would probably like to get bought out.
But when you buy a business, part of what you're paying for is Goodwill. With SCO, there is no goodwill. There is only Ill will. From a number of sources.
To the contrary, their entire pricing model is based on charging you extra for those capabilities.
Companies work better when everything follows the same normal flow. It's a "Special orders do upset us" kind of thing. You can make a few bucks (very few) at a large cost to the company's sense of direction and identity. Hackers are a very useful market, particularly if you are willing to run it at a slight loss. There is no way you will make a lot of money from hackers. They don't have all that much to spend and they are very clever at not spending it. You make the money selling to the masses who aren't willing to spend the time and trouble that the hackers are willing to spend.
in implying the the customers at large wish to hack products.
It's not that we (I'd count myself as more in the non-hacking community) want to hack it ourselves. We want you to hack it so we eventually get to see the benefits, without even going to any trouble!
Something that is non-hackable is pretty much a dead end.
The point he misses is that GEEKS DON'T MATTER.
WRONG!
The effects are small and subtle, but persistent. There is a difference between something that is worth hacking (to the hackers) and something that is more trouble than it's worth (to the hackers). You don't make money (directly) from the hackers. You gain from reputation and sales to the masses. A lot of things "just working" comes from hackers messing with the stuff. The hackers function somewhat as R&D, but they are working at their own pace for their own interests. It costs very little to make stuff "hacker-friendly" and sometimes you gain a lot more than you spend.